Bring Your Own Windows desktop licenses - Amazon WorkSpaces

Bring Your Own Windows desktop licenses

If your licensing agreement with Microsoft allows it, you can bring and deploy your Windows 10 or 11 desktop on your WorkSpaces. To do this, you must enable Bring Your Own License (BYOL) and provide a Windows 10 or 11 license that meets the requirements below. For more information about using Microsoft software on AWS, see Amazon Web Services and Microsoft.

To stay compliant with Microsoft licensing terms, AWS runs your BYOL WorkSpaces on hardware that is dedicated to you in the AWS Cloud. By bringing your own license, you can provide a consistent experience for your users. For more information, see WorkSpaces Pricing.

Important

Image creation is not supported on Windows 10 or 11 systems that have been upgraded from one version of Windows 10 or 11 to a newer version of Windows 10 or 11 (a Windows feature/version upgrade). However, Windows cumulative or security updates are supported by the WorkSpaces image-creation process.

Requirements

Before you begin, verify the following:

  • Your Microsoft licensing agreement allows Windows to run in a virtual hosted environment.

  • If you will be using non-GPU-enabled bundles (bundles other than Graphics.g4dn, GraphicsPro.g4dn, Graphics, and GraphicsPro), verify that you will use a minimum of 100 WorkSpaces per Region. These 100 WorkSpaces can be any mix of AlwaysOn and AutoStop WorkSpaces. Using a minimum of 100 WorkSpaces per Region is a requirement for running your WorkSpaces on dedicated hardware. Running your WorkSpaces on dedicated hardware is necessary to comply with Microsoft licensing requirements. The dedicated hardware is provisioned on the AWS side, so your VPC can stay on default tenancy.

    If you plan to use GPU-enabled (Graphics.g4dn, GraphicsPro.g4dn, Graphics, and GraphicsPro) bundles, verify that you will run a minimum of 4 AlwaysOn or 20 AutoStop GPU-enabled WorkSpaces in a Region per month on dedicated hardware.

    Note
    • Graphics.g4dn, GraphicsPro.g4dn, Graphics, and GraphicsPro bundles can be created only for the PCoIP protocol at this time.

    • Graphics bundle is no longer supported after November 30, 2023. We recommend migrating your WorkSpaces to Graphics.g4dn bundle. For more information, see Migrate a WorkSpace.

    • Graphics and GraphicsPro bundles aren't currently available in the Asia Pacific (Mumbai) Region.

    • Graphics.g4dn, GraphicsPro.g4dn, Graphics, and GraphicsPro bundles aren't currently available in the Africa (Cape Town) Region.

    • To run your WorkSpaces in the Africa (Cape Town) Region, you are required to run a minimum of 400 WorkSpaces in the Africa (Cape Town) Region.

    • Windows 11 bundles can be created only for the WSP protocol.

    • Graphics.g4dn and GraphicsPro.g4dn bundles aren’t currently available for Windows 11.

    • Graphics and GraphicsPro bundles are not supported for Windows 11.

    • Value bundles are not available for Windows 11. For more information about migrating your existing value bundle WorkSpaces, see Migrate a WorkSpace.

    • For the best video conferencing experience, we recommend using Power or PowerPro bundles.

  • WorkSpaces can use a management interface in the /16 IP address range. The management interface is connected to a secure WorkSpaces management network used for interactive streaming. This allows WorkSpaces to manage your WorkSpaces. For more information, see Network interfaces. You must reserve a /16 netmask from at least one of the following IP address ranges for this purpose:

    • 10.0.0.0/8

    • 100.64.0.0/10

    • 172.16.0.0/12

    • 192.168.0.0/16

    • 198.18.0.0/15

    Note
    • As you adopt the WorkSpaces service, the available management interface IP address ranges frequently change. To determine which ranges are currently available, run the list-available-management-cidr-ranges AWS Command Line Interface (AWS CLI) command.

    • In addition to the /16 CIDR block that you select, the 54.239.224.0/20 IP address range is used for management interface traffic in all AWS Regions.

  • Make sure you have opened the necessary management interface ports for Microsoft Windows and Microsoft Office KMS activation for BYOL WorkSpaces. For more information, see Management interface ports.

  • You have a virtual machine (VM) that runs a supported 64-bit version of Windows. For a list of supported versions, see the next section in this topic, Windows versions supported for BYOL. The VM must also meet these requirements:

    • The Windows operating system must be activated against your key management servers.

    • The Windows operating system must have English (United States) as the primary language.

    • No software beyond what is included with Windows can be installed on the VM. You can add additional software, such as an antivirus solution, when you later create a custom image.

    • Do not customize the default user profile (C:\Users\Default) or make other customizations before creating an image. All customizations should be made after image creation. We recommend making any customizations to the user profile through Group Policy Objects (GPOs) and applying them after image creation. This is because customizations done through GPOs can be easily modified or rolled back and are less prone to error than customizations made to the default user profile.

    • You must create a WorkSpaces_BYOL account with local administrator access before you share the image. The password for this account might be required later, so make note of it.

    • The VM must be on a single volume with a maximum size of 70 GB and at least 10 GB of free space. If you're also planning to subscribe to Microsoft Office for your BYOL image, the VM must be on a single volume with a maximum size of 70 GB and at least 20 GB of free space. The disk that the root volume is on cannot exceed 70 GB.

    • Your VM must run Windows PowerShell version 4 or later.

  • Make sure that you have installed the latest Microsoft Windows patches before you run the BYOL checker script in Step 3: Run the BYOL Checker PowerShell script on a Windows VM.

Note
  • For BYOL AutoStop WorkSpaces, a large number of concurrent logins could result in significantly increased time for WorkSpaces to be available. If you expect many users to log into your BYOL AutoStop WorkSpaces at the same time, please consult your account manager for advice.

  • Encrypted AMIs are not supported in the importing process. Ensure that EBS encryption is disabled on the instance used to create the EC2 AMI. Encryption can be enabled after the final WorkSpaces are provisioned.

Windows versions supported for BYOL

Your VM must run one of the following Windows versions:

  • Windows 10 Version 21H2 (December 2021 Update)

  • Windows 10 Version 22H2 (November 2022 Update)

  • Windows 10 Enterprise LTSC 2019 (1809)

  • Windows 10 Enterprise LTSC 2021 (21H2)

  • Windows 11 Version 23H2 (October 2023 release)

  • Windows 11 Version 22H2 (October 2022 release)

All supported OS versions support all of the compute types available in the AWS Region where you're using WorkSpaces. Versions of Windows that are no longer supported by Microsoft are not guaranteed to work and are not supported by AWS Support.

Note

Windows 10 N and Windows 11 N versions are not supported for BYOL at this time.

Add Microsoft Office to Your BYOL image

If you choose to subscribe to Office through AWS, additional charges will apply. For more information, see WorkSpaces Pricing.

Important
  • If Microsoft Office is already installed on the VM that you are using to create your BYOL image, you must uninstall it from the VM if you want to subscribe to Office through AWS.

  • If you plan to subscribe to Office through AWS, make sure that your VM has at least 20 GB of free disk space.

  • During image import, you can subscribe to Office 2016 or 2019 but not to Office 2021. For Office 2021 and other applications such as Microsoft Visio 2021 and Microsoft Project 2021, see Manage applications.

  • To bring your own Microsoft 365 licenses for both browser-based and desktop applications on Amazon WorkSpaces, install Microsoft 365 applications on your BYOL image after the BYOL image ingestion process is complete.

Note

Graphics.g4dn and GraphicsPro.g4dn BYOL images only support Office 2019 and do not support Office 2016.

If you choose to subscribe to Office, the BYOL image ingestion process takes a minimum of 3 hours.

For details about subscribing to Office during the BYOL ingestion process, see Step 6: Create a BYOL image using the WorkSpaces console.

Office language settings

We choose the language used for your Office subscription based on the AWS Region where you're performing your BYOL image ingestion. For example, if you're performing your BYOL image ingestion in the Asia Pacific (Tokyo) Region, your Office subscription has Japanese as its language.

By default, we install a number of frequently used Office language packs on your WorkSpaces. If the language pack that you want isn't installed, you can download additional language packs from Microsoft. For more information, see Language Accessory Pack for Office in the Microsoft documentation.

To change the language for Office, you have several options:

Individual users can adjust the Office language settings on their WorkSpaces. For more information, see Add an editing or authoring language or set language preferences in Office in the Microsoft documentation.

You can use Group Policy Object (GPO) settings to enforce default Office language settings for your WorkSpaces users.

Note

Your WorkSpaces users will not be able to override language settings enforced through GPO.

For more information about using GPO to set the language for Office, see Customize language setup and settings for Office in the Microsoft documentation. Office 2016 and Office 2019 use the same GPO settings (labeled with Office 2016).

To work with GPOs, you must install the Active Directory administration tools. For information about using the Active Directory administration tools to work with GPOs, see Set up Active Directory Administration Tools for WorkSpaces.

Before you can configure Office 2016 or Office 2019 policy settings, you must download the administrative template files (.admx/.adml) for Office from the Microsoft Download Center. After you download the administrative template files, you must add the office16.admx and office16.adml files to the Central Store of the domain controller for your WorkSpaces directory. (The office16.admx and office16.adml files apply to both Office 2016 and Office 2019.) For more information about working with .admx and .adml files, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows in the Microsoft documentation.

The following procedure describes how to create the Central Store and add the administrative template files to it. Perform the following procedure on a directory administration WorkSpace or Amazon EC2 instance that is joined to your WorkSpaces directory.

To install the Group Policy administrative template files for Office
  1. Download the administrative template files (.admx/.adml) for Office from the Microsoft Download Center.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open Windows File Explorer, and in the address bar, enter your organization's fully qualified domain name (FQDN), such as \\example.com.

  3. Open the SYSVOL folder.

  4. Open the folder with the FQDN name.

  5. Open the Policies folder. You should now be in \\FQDN\SYSVOL\FQDN\Policies.

  6. If it doesn't already exist, create a folder named PolicyDefinitions.

  7. Open the PolicyDefinitions folder.

  8. Copy the office16.admx file into the \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions folder.

  9. Create a folder named en-US in the PolicyDefinitions folder.

  10. Open the en-US folder.

  11. Copy the office16.adml file into the \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\en-US folder.
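
The same procedure as a PowerShell script. This is an added example, not AWS-provided code. It assumes a domain-joined machine with write access to SYSVOL, and the source paths under C:\Temp\OfficeAdmx are hypothetical locations for the extracted template files.

```powershell
# Added example: scripted form of the Central Store procedure above.
# The default source paths are hypothetical; point them at your extracted download.
param(
    [string]$AdmxFile = 'C:\Temp\OfficeAdmx\office16.admx',
    [string]$AdmlFile = 'C:\Temp\OfficeAdmx\en-US\office16.adml',
    # FQDN of the WorkSpaces directory; defaults to the domain of the logged-on user.
    [string]$Fqdn     = $env:USERDNSDOMAIN
)

$ErrorActionPreference = 'Stop'

if (-not $Fqdn) { throw 'No domain FQDN found; pass -Fqdn explicitly.' }
foreach ($f in $AdmxFile, $AdmlFile) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Template file not found: $f" }
}

# Steps 2-5: \\FQDN\SYSVOL\FQDN\Policies must already exist and be reachable.
$policies = "\\$Fqdn\SYSVOL\$Fqdn\Policies"
if (-not (Test-Path -LiteralPath $policies)) { throw "Cannot reach $policies" }

# Steps 6-10: create PolicyDefinitions and en-US only if they are missing.
$store   = Join-Path $policies 'PolicyDefinitions'
$storeEn = Join-Path $store 'en-US'
New-Item -ItemType Directory -Path $storeEn -Force | Out-Null

# Steps 8 and 11: copy the template files into place.
Copy-Item -LiteralPath $AdmxFile -Destination $store
Copy-Item -LiteralPath $AdmlFile -Destination $storeEn

# Confirm that each copy matches its source.
$pairs = @(
    @{ Src = $AdmxFile; Dst = Join-Path $store   (Split-Path $AdmxFile -Leaf) },
    @{ Src = $AdmlFile; Dst = Join-Path $storeEn (Split-Path $AdmlFile -Leaf) }
)
foreach ($p in $pairs) {
    $same = (Get-FileHash -LiteralPath $p.Src).Hash -eq (Get-FileHash -LiteralPath $p.Dst).Hash
    '{0} -> {1} : {2}' -f $p.Src, $p.Dst, $(if ($same) { 'OK' } else { 'MISMATCH' })
}
```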

To configure the GPO language settings for Office
  1. On your directory administration WorkSpace or Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  2. Expand the forest (Forest:FQDN).

  3. Expand Domains.

  4. Expand your FQDN (for example, example.com).

  5. Select your FQDN, open the context (right-click) menu or open the Action menu, and choose Create a GPO in this domain, and Link it here.

  6. Name your GPO (for example, Office).

  7. Select your GPO, open the context (right-click) menu or open the Action menu, and choose Edit.

  8. In the Group Policy Management Editor, choose User Configuration, Policies, Administrative Template Policy definitions (ADMX files) retrieved from the local computer, Microsoft Office 2016, and Language Preferences.

    Note

    Office 2016 and Office 2019 use the same GPO settings (labeled with Office 2016). If you don't see Administrative Template Policy definitions (ADMX files) retrieved from the local computer under User Configuration, Policies, the office16.admx and office16.adml files aren't correctly installed on your domain controller.

  9. Under Language Preferences, specify the language that you want for the following settings. Be sure to set each setting to Enabled, and then under Options, select the language you want. Choose OK to save each setting.

    • Display Language > Display help in

    • Display Language > Display menus and dialog boxes in

    • Editing languages > Primary Editing Language

  10. Close the Group Policy Management tool when you're finished.

  11. Group Policy setting changes take effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • From an administrative command prompt, enter gpupdate /force.

To set the Office language settings through the registry, update the following registry settings:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\UILanguage

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\HelpLanguage

For these settings, add a DWORD key value with the appropriate Office locale ID (LCID). For example, the LCID for English (US) is 1033. Because LCIDs are decimal values, you must set the Base option for the DWORD value to Decimal. For a list of the Office LCIDs, see Language identifiers and OptionState Id values in Office 2016 in the Microsoft documentation.

You can apply these registry settings to your WorkSpaces through GPO settings or a logon script.
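
A logon-script form of these registry settings, as an added example (not AWS-provided code). It resolves the LCID to a culture name before writing, which catches a value entered in the wrong base, and it confirms that both values are stored as DWORD.

```powershell
# Added example: set the Office UI and Help language for the current user.
# 1033 is the English (US) LCID given on this page; substitute the LCID you need.
$lcid = 1033
$key  = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources'

$ErrorActionPreference = 'Stop'

# Resolve the LCID to a culture first. A decimal/hex mix-up (for example 0x1033)
# either fails here or shows an unexpected language name.
$culture = [System.Globalization.CultureInfo]::GetCultureInfo([int]$lcid)
"LCID $lcid resolves to $($culture.Name) ($($culture.DisplayName))"

# Create the key if Office has not created it yet for this user.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($name in 'UILanguage', 'HelpLanguage') {
    # -Force creates the value or overwrites an existing one; the type is always DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $lcid -Force | Out-Null
}

# Read the values back and confirm both the data and the registry value type.
$item = Get-Item -Path $key
foreach ($name in 'UILanguage', 'HelpLanguage') {
    [pscustomobject]@{
        Name  = $name
        Value = $item.GetValue($name)
        Kind  = $item.GetValueKind($name)
        Ok    = ($item.GetValue($name) -eq $lcid) -and ($item.GetValueKind($name) -eq 'DWord')
    }
}
```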

For more information about working with the language settings for Office, see Customize language setup and settings for Office in the Microsoft documentation.

Add Office to your existing BYOL WorkSpaces

You can also add a subscription to Office to your existing BYOL WorkSpaces by doing the following.

  • Manage applications (recommended) - You can install and configure Microsoft Office, Microsoft Visio, or Microsoft Project 2021 on your existing WorkSpaces. For more information, see Manage applications.

  • Migrate a WorkSpace - After you have a BYOL bundle with Office installed, you can use the WorkSpaces migration feature to migrate your existing BYOL WorkSpaces to the BYOL bundle that's subscribed to Office. For more information, see Migrate a WorkSpace.

Note

The manage applications option is available for installing Microsoft Office 2021 and other applications, such as Microsoft Visio 2021 and Microsoft Project 2021, to your WorkSpaces. For installing Microsoft Office 2016 or 2019 on your WorkSpaces, use Migrate a WorkSpace.

Migrate between versions of Microsoft Office

To migrate from one Microsoft Office version to another, you have the following options:

  • Manage applications (recommended) – You can uninstall the original Office version and install Office 2021 and other applications, such as Microsoft Visio 2021 and Microsoft Project 2021, on your existing WorkSpaces. For example, to migrate from Microsoft Office 2019 to Microsoft Office 2021, use the manage applications workflow to uninstall Microsoft Office 2019 and install Microsoft Office 2021. For more information, see Manage applications.

  • Migrate a WorkSpace – To migrate from Microsoft Office 2016 to Microsoft Office 2019 or from Microsoft Office 2019 to Microsoft Office 2016, you must create a BYOL bundle that's subscribed to the version of Office that you want to migrate to. Then, use the WorkSpaces migration feature to migrate your existing BYOL WorkSpaces that are subscribed to Office to the BYOL bundle that's subscribed to the version of Office that you want to migrate to. For example, to migrate from Microsoft Office 2016 to Microsoft Office 2019, create a BYOL bundle that's subscribed to Microsoft Office 2019. Then use the WorkSpaces migration feature to migrate your existing BYOL WorkSpaces that are subscribed to Office 2016 to the BYOL bundle that's subscribed to Office 2019. For more information, see Migrate a WorkSpace.

You can use these options to migrate your WorkSpaces that are subscribed to Microsoft Office through AWS to Microsoft 365 applications. However, manage applications is limited to uninstalling Microsoft Office from your WorkSpace. You must bring in your own tools and installers to install Microsoft 365 applications on your WorkSpaces.

Note

Using manage applications, you can install or uninstall Microsoft Office, Microsoft Visio, or Microsoft Project 2021 on your WorkSpaces. For Microsoft Office 2016 or 2019 versions, you can only remove them from your WorkSpaces. To install Microsoft Office 2016 or 2019 on your WorkSpaces, migrate a WorkSpace.

For more information about the migration process, see Migrate a WorkSpace.

Unsubscribe from Office

To unsubscribe from Office, you have the following options.

  • Manage applications (recommended) - You can uninstall Microsoft Office and other applications such as Microsoft Visio and Microsoft Project from your WorkSpaces. For more information, see Manage applications.

  • Migrate a WorkSpace - You can create a BYOL bundle that is not subscribed to Office. Then use the WorkSpaces migration feature to migrate your existing BYOL WorkSpaces to the BYOL bundle that is not subscribed to Office. For more information, see Migrate a WorkSpace.

Office updates

If you have subscribed to Office through AWS, Office updates are included as part of your regular Windows updates. To stay current on all security patches and updates, we recommend that you periodically update your BYOL base images.

Step 1: Check the eligibility of your account for BYOL using the Amazon WorkSpaces console

Before you can enable your account for BYOL, you must go through a verification process to confirm your eligibility for BYOL. Until you go through this process, the Enable BYOL option will not be available in your Amazon WorkSpaces console.

Note

The verification process takes at least one business day. If you want to apply the CIDR range and BYOL configurations of an existing AWS account to a different one, you can link them together to use the same underlying hardware. To link your AWS accounts, you don't need to submit a support ticket. You can use APIs, such as CreateAccountLinkInvitations and AcceptAccountLinkInvitation to connect your AWS accounts. For more information, see Link BYOL accounts.

To check the eligibility of your account for BYOL by using the Amazon WorkSpaces console
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Account Settings, and then under Bring your own license (BYOL), choose View WorkSpaces BYOL settings. If your account is not currently eligible for BYOL, a message provides guidance for next steps. To get started, contact your AWS account manager or sales representative, or contact the AWS Support Center. Your contact will verify your eligibility for BYOL.

    To determine your eligibility for BYOL, your contact will need certain information from you. For example, you might be asked to answer the following questions.

    • Have you reviewed and accepted the BYOL requirements listed earlier?

    • In which AWS Regions do you need your account enabled for BYOL?

    • How many BYOL WorkSpaces do you plan to deploy per AWS Region?

    • What is your ramp-up plan?

    • Are you purchasing WorkSpaces from a reseller?

    • What bundle types do you need for BYOL?

    • Does your organization have any other AWS accounts enabled for BYOL in the same Region? If yes, do you want to link these accounts so that they use the same underlying hardware?

      If the accounts are linked, the total number of WorkSpaces deployed in these accounts is aggregated together for the purposes of determining your eligibility for BYOL. If the answer to both of these questions is yes, you can link your accounts together. You can use APIs, such as CreateAccountLinkInvitations and AcceptAccountLinkInvitation, to connect your AWS accounts. If you want to link other BYOL-enabled accounts, but want to use a different BYOL setup (CIDR range and image), contact AWS Support to enable your new account for BYOL.

  3. After your eligibility is confirmed for BYOL, you can proceed to the next step, where you enable BYOL for your account in the Amazon WorkSpaces console.

Step 2: Enable BYOL for your account for BYOL using the Amazon WorkSpaces console

To enable BYOL for your account, you must specify a management network interface. This interface is connected to a secure Amazon WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to Amazon WorkSpaces clients, and to allow Amazon WorkSpaces to manage the WorkSpace.

Note

You only need to perform the steps in this procedure once per Region to enable BYOL for your account.

To enable BYOL for your account by using the Amazon WorkSpaces console
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Account Settings, and then under Bring your own license (BYOL), choose View WorkSpaces BYOL settings.

  3. On the Account Settings page, under Bring Your Own License (BYOL), choose Enable BYOL.

    If you don't see the Enable BYOL option, this means that your account is not currently eligible for BYOL. For more information, see Step 1: Check the eligibility of your account for BYOL using the Amazon WorkSpaces console.

  4. Under Bring Your Own License (BYOL), in the Management network interface IP address range area, choose an IP address range, and then choose Display available CIDR blocks.

    Amazon WorkSpaces searches for and displays available IP address ranges as IPv4 Classless Inter-Domain Routing (CIDR) blocks, within the range that you specify. If you require a specific IP address range, you can edit the search range.

    Important

    After you specify an IP address range, you cannot modify it. Make sure to specify an IP address range that doesn't conflict with the ranges used by your internal network. If you have any questions about which range to specify, contact your AWS account manager or sales representative, or contact the AWS Support Center before proceeding.

  5. Choose the CIDR block that you want from the list of results, and then choose Enable BYOL.

    This process may take several hours. While WorkSpaces is enabling your account for BYOL, proceed to the next step.
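
Because the range cannot be changed later, it helps to test each candidate /16 block against your internal networks before choosing one. The following is an added example, not AWS-provided code. The candidate and internal ranges are constructed sample data, and the function names are illustrative.

```powershell
# Added example: filter candidate management /16 blocks against internal networks.

function ConvertTo-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $address, $prefix = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($address).GetAddressBytes()
    [Array]::Reverse($bytes)                          # network byte order -> little-endian
    [long]$ip    = [BitConverter]::ToUInt32($bytes, 0)
    [long]$size  = [math]::Pow(2, 32 - [int]$prefix)  # number of addresses in the block
    [long]$start = $ip - ($ip % $size)                # snap to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertTo-CidrRange $A
    $rb = ConvertTo-CidrRange $B
    ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

# Constructed sample data. For live candidates, use the AWS CLI command named in the
# requirements, for example:
#   $candidates = (aws workspaces list-available-management-cidr-ranges `
#       --management-cidr-range-constraint 10.0.0.0/8 --output json |
#       ConvertFrom-Json).ManagementCidrRanges
$candidates = '10.0.0.0/16', '10.1.0.0/16', '10.200.0.0/16'

# Hypothetical on-premises and VPC ranges; replace with your own.
$internal = '10.0.0.0/12', '172.16.0.0/16', '192.168.10.0/24'

# Range that this page states is also used for management traffic in all Regions.
$fixedMgmt = '54.239.224.0/20'

# One row per candidate: usable only if it overlaps none of the internal ranges.
foreach ($c in $candidates) {
    $hits = $internal | Where-Object { Test-CidrOverlap $c $_ }
    [pscustomobject]@{
        Candidate = $c
        Usable    = -not $hits
        Conflicts = $hits -join ', '
    }
}

# The fixed management range must not collide with internal addressing either.
$fixedHits = $internal | Where-Object { Test-CidrOverlap $fixedMgmt $_ }
if ($fixedHits) {
    Write-Warning "Internal ranges overlap ${fixedMgmt}: $($fixedHits -join ', ')"
}
```

With the sample data, 10.0.0.0/16 and 10.1.0.0/16 are reported as conflicting with 10.0.0.0/12, and 10.200.0.0/16 is reported as usable.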

Step 3: Run the BYOL Checker PowerShell script on a Windows VM

After you enable BYOL for your account, you must confirm that your VM meets the requirements for BYOL. To do so, perform these steps to download and run the WorkSpaces BYOL Checker PowerShell script. The script performs a series of tests on the VM that you plan to use to create your image.

Important

The VM must pass all tests before you can use it for BYOL.

To download the BYOL Checker script

Before you download and run the BYOL Checker script, verify that the latest Windows security updates are installed on your VM. While this script runs, it disables the Windows Update service.

  1. Download the BYOL Checker script .zip file from https://tools.amazonworkspaces.com/BYOLChecker.zip to your Downloads folder.

  2. In your Downloads folder, create a BYOL folder.

  3. Extract the files from BYOLChecker.zip and copy them to the Downloads\BYOL folder.

  4. Delete the Downloads\BYOLChecker.zip folder so that only the extracted files remain.
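
Before changing the execution policy and running the script, you can review the Authenticode signature of each extracted script file. The following is an added example, not AWS-provided code. It assumes the Downloads\BYOL folder from the preceding steps, and it makes no assumption about who the signer is.

```powershell
# Added example: review the extracted BYOL Checker files before running them.
# Assumes the Downloads\BYOL folder from the steps above, under the current user's profile.
$dir = Join-Path $env:USERPROFILE 'Downloads\BYOL'
if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Folder not found: $dir" }

# Record the machine-wide policy so it can be restored after the checker has run.
# Set-ExecutionPolicy without -Scope changes the LocalMachine scope.
$previousPolicy = Get-ExecutionPolicy -Scope LocalMachine
"LocalMachine execution policy before change: $previousPolicy"

# Collect signature status, signer and hash for every PowerShell file in the folder.
$report = Get-ChildItem -Path $dir -Recurse -File |
    Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File     = $_.Name
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter }
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if (-not $report) { throw "No PowerShell script files found in $dir" }
$report | Format-List

# Anything other than Valid is blocked by the AllSigned policy.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($notValid.Count -gt 0) {
    Write-Warning ("{0} script file(s) lack a valid Authenticode signature and will not run under AllSigned: {1}" -f `
        $notValid.Count, ($notValid.File -join ', '))
} else {
    'All script files have a valid signature. Check the Signer values before answering the publisher prompt.'
}

# After the checker has finished, restore the earlier policy:
# Set-ExecutionPolicy $previousPolicy -Scope LocalMachine
```

Keeping the SHA256 values with the BYOL Checker log files gives you a record of exactly which script version validated the image.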

Perform these steps to run the BYOL Checker script.

To run the BYOL Checker script
  1. From the Windows desktop, open Windows PowerShell. Choose the Windows Start button, right-click Windows PowerShell, and choose Run as administrator. If you are prompted by User Account Control to choose whether you want PowerShell to make changes to your device, choose Yes.

  2. At the PowerShell command prompt, change to the directory where the BYOL Checker script is located. For example, if the script is located in the Downloads\BYOL directory, enter the following command and press Enter:

    cd C:\Users\username\Downloads\BYOL

  3. Enter the following command to update the PowerShell execution policy on the computer. Doing so allows the BYOL Checker script to run:

    Set-ExecutionPolicy AllSigned

  4. When prompted to confirm whether to change the PowerShell execution policy, enter A to specify Yes to All.

  5. Enter the following command to run the BYOL Checker script:

    .\BYOLChecker.ps1

  6. If a security notification appears, press the R key to Run Once.

  7. In the WorkSpaces Image Validation dialog box, choose Begin Tests.

  8. After each test is completed, you can view the status of the test. For any test with a status of FAILED, choose Info to display information about how to resolve the issue that caused the failure. If any tests display a status of WARNING, choose the Fix All Warnings button.

  9. If applicable, resolve any issues that cause test failures and warnings, and repeat Step 7 and Step 8 until the VM passes all tests. All failures and warnings must be resolved before you export the VM.

  10. The BYOL Checker script generates two log files, BYOLPrevalidationlogYYYY-MM-DD_HHmmss.txt and ImageInfo.text. These files are located in the directory that contains the BYOL Checker script files.

    Tip

    Do not delete these files. If an issue occurs, they might be helpful in troubleshooting.

  11. After your VM passes all tests, you get a Validation Successful message. Review the VM locale settings displayed in the tool. To update the locale settings, follow these instructions in the Microsoft documentation and run the BYOL Checker script again.

  12. Shut down the VM and create a snapshot of it.

  13. Start the VM again. Choose Run Sysprep. If Sysprep is successful, your VM that you exported after Step 12 can be imported into Amazon Elastic Compute Cloud (Amazon EC2). Otherwise, review the Sysprep logs, roll back to the snapshot taken at Step 12, resolve the reported issues, take a new snapshot, and run the BYOL Checker script again.

    The most common reason that Sysprep fails is that the Modern AppX Packages are not uninstalled for all users. Use the Remove-AppxPackage PowerShell cmdlet to remove the AppX Packages.

  14. After you have successfully created your image, you can remove the WorkSpaces_BYOL account.

List of error messages and error fixes

PowerShell version 4.0 or later must be installed. For more information, see Microsoft Windows PowerShell.

Microsoft Office must be uninstalled before import. For more information, see Uninstall Office from a PC.

Uninstall the PCoIP Agent. For information about uninstalling the PCoIP agent, see Uninstalling the Teradici PCoIP Software Client for Mac.

Disable Windows updates by completing the following steps:

  1. Press Windows key + R. Type services.msc, then press Enter.

  2. Right-click on Windows Update, then choose Properties.

  3. Under the General tab, set the Startup type to Disabled.

  4. Choose Stop.

  5. Click Apply, and then choose OK.

  6. Restart your computer.

You must enable Automount. Run the following commands in PowerShell as an administrator.

    C:\> diskpart
    DISKPART> automount enable
    Automatic mounting of new volumes enabled.

WorkSpaces_BYOL account must be enabled. For more information, see Enable BYOL for your account for BYOL using the Amazon WorkSpaces console.

Network interface must be changed to use DHCP. For more information, see Change TCP/IP settings.

Local disk must have enough space and requires you to free up 20 GB or more.

Only the C and D drives can be present on a WorkSpace that's used for importing an image. Remove all other drives, including virtual drives.

Use a Windows 10 or Windows 11 operating system.

System must be unjoined from AD domain. For more information, see Azure Active Directory device management FAQ.

System must be unjoined from Azure domain. For more information, see Azure Active Directory device management FAQ.

Public firewall profile must be disabled. For more information, see Turn Microsoft Defender Firewall on or off.

VMware Tools must be uninstalled. For more information, see Uninstalling and manually installing VMware Tools in VMware Fusion (1014522).

The disk must be smaller than 80 GB. Reduce the disk size.

Volumes must be MBR partitioned for Windows 10 and GPT partitioned for Windows 11. For more information, see Manage disks.

Install all updates and reboot the operating system.

To disable the AutoLogon registry:
  1. Press Windows key + R and type Regedit.exe in the command prompt.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  3. Add a value for DontDisplayLastUserName.

  4. For Type, enter REG_SZ.

  5. For Value, enter 0.

Note
  • The value DontDisplayLastUserName determines whether the logon dialog box displays the username of the last user that logged onto the PC.

  • The value does not exist by default. If it exists, you must set it to 0 or the value of DefaultUser will be wiped and AutoLogon will fail.

RealTimeUniversal Registry Key must be enabled. For more information, see Configure time settings for Windows Server 2008 and later.

Number of bootable partitions must not exceed one.

To remove additional partitions
  1. Press the Windows logo + R keys to open Run box. Enter msconfig and press the Enter key on the keyboard to open the System Configuration window.

  2. Choose the Boot tab from the window and check if the OS you want to use is set to Current OS; Default OS. If it isn't set, choose your desired OS from the window and choose Set as default on the same window.

  3. To delete another partition, choose that partition, then select Delete, Apply, OK.

If the error still shows up, boot your computer from the installation or repair disc, and follow these steps.
  1. Skip the initial languages screen, and then choose Repair your computer on the main install screen.

  2. On the Choose an option screen, choose Troubleshoot.

  3. On the Advanced options screen, choose Command Prompt.

  4. In the command prompt, enter bootrec.exe /fixmbr, then press Enter.

A 64-bit OS image must be used. For more information, see Windows versions supported for BYOL.

The Image Rearm count must not be 0. The rearm feature allows you to extend the activation period for the trial version of Windows. The Create Image process requires that the rearm count be a value other than 0.

To check the Windows rearm count
  1. On the Windows Start menu, choose Windows System, then choose Command Prompt.

  2. In the Command Prompt, enter cscript C:\Windows\System32\slmgr.vbs /dlv, and then press Enter.

  3. To reset the rearm count to a value other than 0, see Sysprep (Generalize) a Windows installation.

Windows must not have been upgraded from a previous version.

You must uninstall your antivirus software. Run BYOLChecker to get details for the antivirus software to uninstall.

The Legacy BIOS BootMode must be used for Windows 10. For more information, see Boot modes.

Step 4: Export the VM from your virtualization environment

To create an image for BYOL, you must first export the VM from your virtualization environment. The VM must be on a single volume with a maximum size of 70 GB and at least 10 GB of free space. For more information, see the documentation for your virtualization environment and Export Your VM from its Virtualization Environment in the VM Import/Export User Guide.

Step 5: Import the VM as an image into Amazon EC2

After you export your VM, review the requirements for importing Windows operating systems from a VM. Take action as needed. For more information, see VM Import/Export Requirements.

Note

Importing a VM with an encrypted disk is not supported. If you've opted in to default encryption for Amazon Elastic Block Store (Amazon EBS) volumes, you must deselect that option before importing your VM.

Import your VM into Amazon EC2 as an Amazon Machine Image (AMI). Use one of the following methods:

  • Use the import-image command with the AWS CLI. For more information, see import-image in the AWS CLI Command Reference.

  • Use the ImportImage API operation. For more information, see ImportImage in the Amazon EC2 API Reference.

For more information, see Importing a VM as an Image in the VM Import/Export User Guide.

Step 6: Create a BYOL image using the WorkSpaces console

Perform these steps to create a WorkSpaces BYOL image.

Note

To perform this procedure, verify that you have AWS Identity and Access Management (IAM) permissions to:

  • Call WorkSpaces ImportWorkspaceImage.

  • Call Amazon EC2 DescribeImages on the Amazon EC2 image that you want to use to create the BYOL image.

  • Call Amazon EC2 ModifyImageAttribute on the Amazon EC2 image that you want to use to create the BYOL image. Make sure that the launch permissions on the Amazon EC2 image are not restricted. The image must be shareable throughout the BYOL image creation process.

For an example IAM policy specific to BYOL WorkSpaces, see Identity and access management for WorkSpaces. For more information about working with IAM permissions, see Changing Permissions for an IAM User in the IAM User Guide.

To create a Graphics.g4dn, GraphicsPro.g4dn, Graphics, or GraphicsPro bundle from your image, contact the AWS Support Center to get your account added to the allow list. After your account is on the allow list, you can use the AWS CLI import-workspace-image command to ingest the Graphics.g4dn, GraphicsPro.g4dn, Graphics, or GraphicsPro image. For more information, see import-workspace-image in the AWS CLI Command Reference.

To create an image from the Windows VM
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Images.

  3. Choose Create BYOL image.

  4. On the Create BYOL image page, do the following:

    • For AMI ID, choose the EC2 Console link, and choose the Amazon EC2 image that you imported as described in the previous section (Step 5: Import the VM as an image into Amazon EC2). The image name must begin with ami- and be followed by the identifier for the AMI (for example, ami-1234567e).

    • For Image name, enter a unique name for the image.

    • For Description, enter a description to help you quickly identify the image.

    • For Instance type, choose the appropriate bundle type (either Regular, Graphics.g4dn, Graphics, or GraphicsPro), depending on which protocol you want to use for your image, either PCoIP or WorkSpaces Streaming Protocol (WSP). If you want to create a GraphicsPro.g4dn bundle, choose Graphics.g4dn. For non-GPU-enabled bundles (bundles other than Graphics.g4dn, GraphicsPro.g4dn, Graphics, or GraphicsPro), choose Regular.

      Note

      Graphics.g4dn, GraphicsPro.g4dn, Graphics, and GraphicsPro images can be created only for the PCoIP protocol at this time.

    • (Optional) For Select applications, choose which version of Microsoft Office you want to subscribe to. For more information, see Add Microsoft Office to Your BYOL image.

    • (Optional) For Tags, choose Add new tag to associate tags with this image. For more information, see Tag WorkSpaces resources.

  5. Choose Create BYOL image.

    While your image is being created, the image's status on the Images page of the console appears as Pending. The BYOL ingestion process takes a minimum of 90 minutes. If you have subscribed to Office as well, expect the process to take a minimum of 3 hours.

    If the image validation does not succeed, the console displays an error code. When the image creation is complete, the status changes to Available.
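
A preflight check for the imported AMI, run before choosing Create BYOL image, as an added example (not AWS code). It applies the constraints this page states (ami- prefix, 64-bit image, Legacy BIOS for Windows 10, a single unencrypted volume of at most 70 GB) to one entry of a DescribeImages response. The function name, the sample entries, the x86_64 reading of "64-bit", and treating a missing BootMode as non-UEFI are assumptions.

```python
import re

MAX_VOLUME_GB = 70  # single-volume limit from Step 4 (EBS reports VolumeSize in GiB)


def byol_preflight(image, windows_version=10):
    """Return a list of problems for one entry of DescribeImages 'Images'."""
    problems = []
    if not re.fullmatch(r"ami-[0-9a-f]+", image.get("ImageId", "")):
        problems.append("AMI ID must begin with ami- followed by the identifier")
    if image.get("Platform", "").lower() != "windows":
        problems.append("image is not marked as a Windows AMI")
    # Assumption: the page's "64-bit OS image" means Architecture == x86_64.
    if image.get("Architecture") != "x86_64":
        problems.append("expected a 64-bit x86_64 image")
    # Assumption: an absent BootMode means the AMI does not force UEFI.
    if windows_version == 10 and image.get("BootMode", "legacy-bios") != "legacy-bios":
        problems.append("Windows 10 requires the Legacy BIOS boot mode")
    # Ignore non-EBS mappings (for example ephemeral devices with no 'Ebs' key).
    volumes = [m["Ebs"] for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]
    if len(volumes) != 1:
        problems.append(f"expected a single volume, found {len(volumes)}")
    for ebs in volumes:
        if ebs.get("VolumeSize", 0) > MAX_VOLUME_GB:
            problems.append(f"volume is {ebs['VolumeSize']} GB, limit is {MAX_VOLUME_GB}")
        if ebs.get("Encrypted"):
            problems.append("encrypted volumes are not supported for import")
    return problems


# Constructed sample entries shaped like DescribeImages output (not real AMIs).
GOOD = {"ImageId": "ami-1234567e", "Platform": "windows", "Architecture": "x86_64",
        "BootMode": "legacy-bios",
        "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
                                 "Ebs": {"VolumeSize": 60, "Encrypted": False}}]}
BAD = {"ImageId": "ami-1234567e", "Platform": "windows", "Architecture": "x86_64",
       "BootMode": "uefi",
       "BlockDeviceMappings": [
           {"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 80, "Encrypted": True}},
           {"DeviceName": "xvdf", "Ebs": {"VolumeSize": 20, "Encrypted": False}}]}

if __name__ == "__main__":
    for name, img in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, byol_preflight(img) or "ok")
```

The check cannot see free disk space or the rearm count; those still have to be verified inside the VM as described earlier on this page.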

Step 7: Create a custom bundle from the BYOL image

After your BYOL image is created, you can use the image to create a custom bundle. For information, see Create a custom WorkSpaces image and bundle.

Step 8: Register a dedicated directory for WorkSpaces

To use BYOL images for WorkSpaces, you must register a directory for this purpose.

To register a directory for WorkSpaces
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory and choose Actions, Register.

  4. In the Register directory dialog box, for Enable Dedicated WorkSpaces, choose Yes.

  5. Choose Register.

If you have already registered an AWS Managed Microsoft AD directory or an AD Connector directory for WorkSpaces that does not run on dedicated hardware, you can set up a new AWS Managed Microsoft AD directory or AD Connector directory for this purpose. You can also deregister the directory and then reregister it as a directory for dedicated WorkSpaces. To do so, perform these steps.

Note

You can only perform this procedure if no WorkSpaces are associated with the directory.

To deregister a directory and reregister it for dedicated WorkSpaces
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. Terminate existing WorkSpaces.

  3. In the navigation pane, choose Directories.

  4. Select the directory and choose Actions, Deregister.

  5. When prompted for confirmation, choose Deregister.

  6. Select the directory again and choose Actions, Register.

  7. In the Register directory dialog box, for Enable Dedicated WorkSpaces, choose Yes.

  8. Choose Register.

Step 9: Launch your BYOL WorkSpaces

After you register a directory for dedicated WorkSpaces, you can launch your BYOL WorkSpaces in this directory. For information about how to launch WorkSpaces, see Launch a virtual desktop using WorkSpaces.

You can use BYOL linking to link accounts and share BYOL configurations. BYOL configurations include the CIDR range used by your accounts and the images you use to create WorkSpaces with your Windows license. All accounts that are linked share the same underlying hardware infrastructure.

The account enabled for BYOL linking is the primary owner of the underlying hardware infrastructure, and is called the Source account. The Source account manages access to the underlying hardware infrastructure. Target accounts are the accounts that are linked to the Source account.

Important

APIs for BYOL account linking are not currently available in the AWS GovCloud (US) Region.

Note

The AWS accounts that you want to link with must be part of your organization and under the same payer account. You can only link accounts within the same Region.

To link the Source and Target accounts
  1. Send an invitation link from your Source account to the Target account by using the CreateAccountLinkInvitation API.

  2. Accept the pending link from your Target account by using the AcceptAccountLinkInvitation API.

  3. Verify the link has been established by using the GetAccountLink or ListAccountLinks API.